X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fwebsites%2Fdefault.nix;h=e69080e9dc2ae14c43f785796c8379468e5aeb9c;hb=0540384561541f94435ad0f6e268e6989fb1d37a;hp=ef79cb3cbf77b52f604746607e878f03890b604c;hpb=589aeb9297f6f2a99b98c07cb9a834bb5e25b9f0;p=perso%2FImmae%2FConfig%2FNix%2FNUR.git diff --git a/modules/websites/default.nix b/modules/websites/default.nix index ef79cb3c..e69080e9 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix @@ -23,14 +23,6 @@ in Name of the webapp dir to create in /run/current-system ''; }; - webappDirsPath = mkOption { - type = str; - readOnly = true; - description = '' - Full path of the webapp dir - ''; - default = "/run/current-system/${cfg.webappDirsName}"; - }; env = mkOption { default = {}; description = "Each type of website to enable will target a distinct httpd server"; @@ -94,6 +86,17 @@ in }; }; }; + vhostNoSSLConfs = mkOption { + default = {}; + description = "List of no ssl vhosts to define for Apache"; + type = attrsOf (submodule { + options = { + hosts = mkOption { type = listOf string; }; + root = mkOption { type = nullOr path; }; + extraConfig = mkOption { type = listOf lines; default = []; }; + }; + }); + }; vhostConfs = mkOption { default = {}; description = "List of vhosts to define for Apache"; @@ -126,6 +129,17 @@ in }; }); }; + # Readonly variables + webappDirsPaths = mkOption { + type = attrsOf path; + readOnly = true; + description = '' + Full paths of the webapp dir + ''; + default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair + name "/run/current-system/${cfg.webappDirsName}/${name}" + ) cfg.webappDirs; + }; }; config.services.httpd = let @@ -135,7 +149,7 @@ in serverAliases = [ "*" ]; enableSSL = false; logFormat = "combinedVhost"; - documentRoot = "${config.security.acme.directory}/acme-challenge"; + documentRoot = "/var/lib/acme/acme-challenge"; extraConfig = '' RewriteEngine on RewriteCond "%{REQUEST_URI}" "!^/\.well-known" @@ -164,9 +178,9 @@ in }; toVhost = ips: vhostConf: { enableSSL = true; - sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem"; - sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem"; - sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem"; + sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem"; + sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem"; + sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem"; logFormat = "combinedVhost"; listen = map (ip: { inherit ip; port = 443; }) ips; hostName = builtins.head vhostConf.hosts; @@ -174,6 +188,15 @@ in documentRoot = vhostConf.root; extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; }; + toVhostNoSSL = ips: vhostConf: { + enableSSL = false; + logFormat = "combinedVhost"; + listen = map (ip: { inherit ip; port = 80; }) ips; + hostName = builtins.head vhostConf.hosts; + serverAliases = builtins.tail vhostConf.hosts or []; + documentRoot = vhostConf.root; + extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; + }; in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair icfg.httpdName (mkIf icfg.enable { enable = true; @@ -187,6 +210,7 @@ in extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig; virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ] ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ] + ++ (attrsets.mapAttrsToList (n: v: toVhostNoSSL icfg.ips v) icfg.vhostNoSSLConfs) ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs) ++ [ (redirectVhost icfg.ips) ]; }) @@ -199,7 +223,7 @@ in } ) cfg.env; - config.security.acme.certs = let + config.security.acme2.certs = let typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env; flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: attrValues v.vhostConfs